snmp-configt

Upload: kunta-kinte

Post on 07-Apr-2018


  • 8/3/2019 SNMP-configt

    1/16

    Copyright 2003 Chesapeake NetCraftsmen, Inc. Page 11-1

    11-1 Copyright 2003, Chesapeake Netcraftsmen

    11: Best Practices for Managing Cisco Devices


    Objectives

    Upon completion of this chapter, you should be able to

    Describe and follow Best Practices for configuring Cisco routers to be managed

    Configure Cisco devices for network management


    Topics

    SNMP

    Syslog

    Other Amenities

    Time

    Best Practices


    Configuring Cisco Devices for SNMP 1

    Set community strings and enable SNMP

    You can add an access list to control which stations SNMP is accepted from

    Rtr(config)# snmp-server community public RO

    Rtr(config)# snmp-server community private RW

    Rtr(config)# snmp-server community private RW 60

    Rtr(config)# access-list 60 permit 148.33.1.1
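The slide shows the access-list trailing the community line but not what that buys you. The following added example (not from the slides or from Chesapeake NetCraftsmen) simulates how the router decides whether an SNMP request is accepted: the community string must exist, and if the community line names an access-list the source address must be permitted by it. The running-config excerpt is constructed for the example; the treatment of an undefined ACL as "deny all" is a conservative assumption of this simulation.

```python
import ipaddress
import re

# Constructed running-config excerpt (not from the original slides) mirroring
# the community and access-list lines shown above, plus a /24 permit entry.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW 60
access-list 60 permit 148.33.1.1
access-list 60 permit 148.33.2.0 0.0.0.255
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?$")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")


def wildcard_to_network(addr, wildcard):
    """Convert a standard-ACL source specification to an ip_network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if addr == "host":                       # "permit host A.B.C.D"
        return ipaddress.ip_network(wildcard)
    if wildcard is None:                     # bare address = single host
        return ipaddress.ip_network(addr)
    # IOS wildcard masks are inverted masks: 0.0.0.255 means /24.
    # Contiguous wildcards are assumed here.
    host_bits = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)


def parse_config(text):
    """Return ({community: (mode, acl_or_None)}, {acl: [(action, network), ...]})."""
    communities, acls = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.groups()
            communities[name] = (mode, acl)
            continue
        m = ACL_RE.match(line)
        if m:
            number, action, addr, wildcard = m.groups()
            acls.setdefault(number, []).append((action, wildcard_to_network(addr, wildcard)))
    return communities, acls


def acl_permits(entries, src_ip):
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    ip = ipaddress.ip_address(src_ip)
    for action, net in entries:
        if ip in net:
            return action == "permit"
    return False


def evaluate_request(config_text, src_ip, community):
    """Return 'RO', 'RW', or None (rejected) for one SNMP request."""
    communities, acls = parse_config(config_text)
    if community not in communities:
        return None
    mode, acl = communities[community]
    # An ACL number that is referenced but never defined is treated as deny
    # all here (assumption for this simulation).
    if acl is not None and not acl_permits(acls.get(acl, []), src_ip):
        return None
    return mode
```

Running `evaluate_request(SAMPLE_CONFIG, "10.0.0.5", "public")` still returns `"RO"`: the read-only community has no access-list, so any host that can reach UDP/161 and guesses the well-known string gets read access. The same host with `"private"` is rejected because access-list 60 does not permit it.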


    Configuring Cisco Devices for SNMP 2

    Enable SNMP traps

    Specify which management station(s) to send traps to

    Can control which traps go where, by listing specific traps for each host at the end of the snmp-server host line

    Can selectively enable only some traps with options at end of snmp-server enable trap line. One per line, repeat as needed

    Rtr(config)# snmp-server host 148.33.2.3 public

    Rtr(config)# snmp-server enable trap


    Configuring Cisco Devices for SNMP 3

    It is generally a good idea to not enable a couple of the SNMP traps:

    The first of these disables traps when someone uses the wrong community string. If this ever happens, you tend to get many traps

    The second disables packaging up syslog messages and sending them as traps. It's generally adequate to just send them once as syslog messages

    no snmp-server enable trap snmp authentication

    no snmp-server enable trap syslog


    Configuring Cisco Devices for SNMP 4

    Need to allow SNMP reboot of router for CiscoWorks IOS upgrades to succeed

    Rtr(config)# snmp-server system-shutdown


    Configuring Cisco Devices for SNMP 5

    Set system location and contact

    Set trap source address to that of loopback 0 for uniformity

    Rtr(config)# snmp-server location Rome, Italy NOC

    Rtr(config)# snmp-server contact John Doe, (800) 555-1212

    Rtr(config)# snmp-server trap-source loopback 0


    Configuring Cisco Devices for SNMP 6

    Interface command to disable up/down traps

    Rtr(config)# interface ...

    Rtr(config-if)# no snmp-server trap link-status

    There are many other SNMP settings

    Rtr(config)# snmp-server ?

    Monitoring SNMP

    Rtr# show snmp

    Rtr# debug snmp packet

    Caution: debug output can be verbose and cause problems!


    Topics: SNMP, Syslog, Other Amenities, Time, Best Practices


    Enabling Syslog Logging

    Send syslog messages to host(s). Repeat as needed to send to multiple hosts

    Set logging level (see also next slide)

    Set logging source address

    Rtr(config)# logging 148.33.2.3

    Rtr(config)# logging trap informational

    Rtr(config)# logging source-interface loop 0


    Logging Levels

    When you configure logging levels, you may use the number or the keyword for the level in the newer IOS releases. Older ones required the word.

    This configures the router to send or show messages at that level or more severe levels (lower numbered levels).

    Level   Keyword to Configure
    0       Emergency
    1       Alerts
    2       Critical
    3       Errors
    4       Warnings
    5       Notifications
    6       Informational
    7       Debug
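The "that level or more severe" rule is easy to get backwards when deciding what a collector will actually receive. The added example below (not part of the slides) parses the `%FACILITY-SEVERITY-MNEMONIC:` prefix of IOS messages and applies a configured threshold such as `logging trap informational` to a constructed batch of messages. It uses the full IOS keyword spellings (`emergencies` through `debugging`) and mimics IOS's acceptance of unambiguous abbreviations; the table's own label `Emergency` is handled as a special case. The sample messages are constructed, apart from the `CONFIG_I` line taken from the show logging slide.

```python
import re

# Numeric severities keyed by the full IOS keyword; the table above lists the
# same eight levels. IOS accepts unambiguous abbreviations, mimicked below.
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# IOS message format: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)")

# Constructed sample messages (the first is the one shown on the show logging
# slide); the others are plausible IOS messages at other severities.
SAMPLE_LOG = [
    "%SYS-5-CONFIG_I: Configured from console by vty0 (148.33.2.150)",
    "%LINK-3-UPDOWN: Interface Serial0, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down",
    "%SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.1(3456) -> 148.33.2.3(23), 1 packet",
]


def level_number(value):
    """Turn '6', 'informational' or an abbreviation such as 'inform' into 0..7."""
    if value.isdigit():
        n = int(value)
        if not 0 <= n <= 7:
            raise ValueError(f"severity must be 0..7, got {value}")
        return n
    v = value.lower()
    if v == "emergency":          # the table's label; not a prefix of "emergencies"
        return 0
    matches = {num for kw, num in LEVELS.items() if kw.startswith(v)}
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous level keyword: {value}")
    return matches.pop()


def parse_message(line):
    """Split one IOS log line into facility, numeric severity, mnemonic, text."""
    m = MSG_RE.search(line)
    if not m:
        return None
    facility, severity, mnemonic, text = m.groups()
    return {"facility": facility, "severity": int(severity),
            "mnemonic": mnemonic, "text": text}


def passes(message_severity, configured_level):
    """A destination set to level N emits severities N and below (more severe)."""
    return message_severity <= configured_level


def filter_messages(lines, configured):
    """Return the mnemonics of the messages a destination at `configured` emits."""
    threshold = level_number(configured)
    return [m["mnemonic"] for m in map(parse_message, lines)
            if m and passes(m["severity"], threshold)]
```

With `filter_messages(SAMPLE_LOG, "informational")` the severity-7 debug message is the only one dropped, which is why the slides can send `informational` to the collector without losing the access-list denials (severity 6) or configuration changes (severity 5).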


    Controlling Syslog Logging 1

    Turn off console logging. This protects against having a 9600 baud bottleneck

    Turn on logging to buffer (100K of memory)

    This keeps a history of logging output in the router

    View the buffer with the show logging command (later slide)

    Rtr(config)# no logging console

    Rtr(config)# logging buffered 100000


    Controlling Syslog Logging 2

    Synchronized logging: no output of console messages or debug output when you're in the middle of typing a command

    Rtr(config)# line con 0

    Rtr(config-line)# logging synch

    Rtr(config)# line vty 0 4

    Rtr(config-line)# logging synch


    Checking Logging Status

    top#show logging

    Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns)

    Console logging: level debugging, 22 messages logged

    Monitor logging: level debugging, 0 messages logged

    Buffer logging: level debugging, 1 messages logged

    Logging Exception size (0 bytes)

    Trap logging: level informational, 26 message lines logged

    Logging to 148.33.2.130, 26 message lines logged

    Log Buffer (100000 bytes):

    %SYS-5-CONFIG_I: Configured from console by vty0 (148.33.2.150)

    Press Enter to get past the --More-- and see buffered messages

    The 4 ways to view syslog messages, and level of output for each


    The 4 Ways to Syslog

    Console: settings for output on console

    Monitor: settings for what messages you get when you telnet into the router

    Use the terminal monitor command to see the messages for the duration of the telnet session

    Or can configure vty lines to permanently monitor, if desired

    Buffer: settings for buffered messages in memory

    Trap logging: messages sent via syslog to a management station


    Topics: SNMP, Syslog, Other Amenities, Time, Best Practices


    Setting Idle Timeout

    Idle timeout terminates console or telnet session if you don't type anything

    Good security

    Annoying in the middle of troubleshooting

    To control the idle timeout, can configure:

    Rtr(config)# line con 0

    Rtr(config-line)# exec-timeout 0 0

    Rtr(config)# line vty 0 4

    Rtr(config-line)# exec-timeout 10 0


    Configuring to Allow RCP

    CiscoWorks can use RCP (reliable TCP-based protocol) to copy files to/from devices

    But you have to permit it on the device first

    Configure

    Rtr(config)# ip rcmd rcp-enable

    Rtr(config)# ip rcmd remote-host cwuser 148.33.2.3 cwuser enable

    where 148.33.2.3 is the CW management station

    cwuser is the CW default rcp user id, can be changed


    Enabling Web Interface to Routers

    The Web router interface is enabled by configuring:

    Rtr(config)# ip http server

    The Web interface is really the CLI help presented as links you can click on


    Topics: SNMP, Syslog, Other Amenities, Time, Best Practices


    Configuring Timestamps

    You can turn on timestamps for syslog and debug messages as follows

    Rtr(config)# service timestamps log datetime show-timezone

    Rtr(config)# service timestamps debug datetime show-timezone

    CW Best Practice: use GMT, timezones can lead to problems
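The "timezones can lead to problems" point is concrete once you correlate logs from routers in different zones. The added example below (not from the slides) parses the `datetime show-timezone` prefix, converts each line to UTC using a zone-offset table, and checks whether lines from two devices describe the same instant. The sample lines and the offset table are constructed for the example; the year is supplied by the caller because IOS timestamps carry none, and the leading `*` is the flag IOS puts on timestamps when the clock is not authoritative (which ties in with the NTP checks later in the chapter).

```python
import re
from datetime import datetime, timedelta, timezone

# Prefix written by "service timestamps log datetime show-timezone", with an
# optional .msec field. A leading "*" marks a clock that is not authoritative.
TS_RE = re.compile(
    r"^(?P<flag>[*.])?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d{3})?) (?P<tz>[A-Za-z]+): (?P<rest>.*)$"
)

# Constructed zone table (hours east of UTC); an assumption for this example.
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "CET": 1}

# Constructed messages: the same event as seen by a router in EST, one in CET,
# and one in GMT whose clock is not NTP-synchronized ("*").
SAMPLE_LINES = [
    "Mar  1 02:45:32 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (148.33.2.150)",
    "Mar  1 08:45:32 CET: %SYS-5-CONFIG_I: Configured from console by vty0 (148.33.2.150)",
    "*Mar  1 07:45:32.937 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (148.33.2.150)",
]


def to_utc(line, year, tz_offsets=TZ_OFFSETS):
    """Return (utc_datetime, clock_not_authoritative, message) for one log line.

    Raises KeyError for a zone abbreviation the table does not know, which is
    exactly the ambiguity the GMT recommendation avoids.
    """
    m = TS_RE.match(line)
    if not m:
        raise ValueError("line has no datetime show-timezone prefix: " + line)
    fmt = "%b %d %H:%M:%S.%f" if "." in m["time"] else "%b %d %H:%M:%S"
    # IOS timestamps carry no year; the caller supplies it.
    naive = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", fmt).replace(year=year)
    local = naive.replace(tzinfo=timezone(timedelta(hours=tz_offsets[m["tz"]])))
    return local.astimezone(timezone.utc), m["flag"] == "*", m["rest"]


def same_instant(lines, year):
    """True if every line, once normalized to UTC, stamps the same second."""
    stamps = {to_utc(line, year)[0].replace(microsecond=0) for line in lines}
    return len(stamps) == 1
```

With every router on GMT the offset table collapses to a single zero entry and the normalization step disappears, which is the practical content of the CW best practice above.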


    Checking NTP

    Check on NTP with the show ntp status command

    Unsynchronized is bad

    top#show ntp status

    Clock is unsynchronized, stratum 16, no reference clock

    nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**16

    reference time is 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)

    clock offset is 0.0000 msec, root delay is 0.00 msec

    root dispersion is 0.00 msec, peer dispersion is 0.00 msec


    Checking NTP

    Look for status to be synchronized

    top#sho ntp st

    Clock is synchronized, stratum 5, reference is 148.33.8.2

    nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**16

    reference time is AF3BF74C.F0016C00 (21:45:32.937 EST Sun Feb 28 1993)

    clock offset is 4.1810 msec, root delay is 3.22 msec

    root dispersion is 1879.62 msec, peer dispersion is 1875.41 msec

    top#sho ntp assoc

    address ref clock st when poll reach delay offset disp

    *~148.33.8.2 127.127.7.1 4 57 64 17 3.2 4.18 1875.4

    * master (synced), # master (unsynced), + selected, - candidate, ~configured
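The two show ntp status outputs above are the healthy and unhealthy cases; the added example below (not from the slides) parses both, plus the show ntp assoc line, into fields a monitoring job can alert on: synchronized or not, stratum, offset, and the reach register. The text is copied from the slides; the alert thresholds (maximum stratum, maximum offset) are assumptions chosen for the example.

```python
import re

# Copies of the two show ntp status outputs and the assoc line shown above.
NTP_STATUS_UNSYNC = """\
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**16
reference time is 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
"""
NTP_STATUS_SYNC = """\
Clock is synchronized, stratum 5, reference is 148.33.8.2
nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**16
reference time is AF3BF74C.F0016C00 (21:45:32.937 EST Sun Feb 28 1993)
clock offset is 4.1810 msec, root delay is 3.22 msec
root dispersion is 1879.62 msec, peer dispersion is 1875.41 msec
"""
NTP_ASSOC_LINE = "*~148.33.8.2 127.127.7.1 4 57 64 17 3.2 4.18 1875.4"

CLOCK_RE = re.compile(r"^Clock is (synchronized|unsynchronized), stratum (\d+), "
                      r"(?:reference is (\S+)|no reference clock)")
OFFSET_RE = re.compile(r"clock offset is (-?[\d.]+) msec, root delay is ([\d.]+) msec")
DISP_RE = re.compile(r"root dispersion is ([\d.]+) msec, peer dispersion is ([\d.]+) msec")


def parse_ntp_status(text):
    """Pick the sync state, stratum, reference, offset and dispersions out of show ntp status."""
    status = {}
    for line in text.splitlines():
        if (m := CLOCK_RE.match(line)):
            status.update(synchronized=m.group(1) == "synchronized",
                          stratum=int(m.group(2)), reference=m.group(3))
        elif (m := OFFSET_RE.search(line)):
            status.update(offset_ms=float(m.group(1)), root_delay_ms=float(m.group(2)))
        elif (m := DISP_RE.search(line)):
            status.update(root_dispersion_ms=float(m.group(1)),
                          peer_dispersion_ms=float(m.group(2)))
    return status


def parse_ntp_assoc(line):
    """Parse one show ntp assoc row; the flag characters are explained in the legend above."""
    flags, rest = re.match(r"^([*#+\-~]*)(.*)$", line).groups()
    addr, refclk, st, when, poll, reach, delay, offset, disp = rest.split()
    # reach is an octal shift register of the last eight polls (377 = all eight answered).
    reach_bits = int(reach, 8)
    return {"address": addr, "refclock": refclk, "stratum": int(st), "when": when,
            "poll": int(poll), "reach_ok": bin(reach_bits).count("1"),
            "delay_ms": float(delay), "offset_ms": float(offset),
            "dispersion_ms": float(disp), "synced_master": "*" in flags,
            "configured": "~" in flags}


def assess(status, max_stratum=10, max_offset_ms=500.0):
    """Findings for a show ntp status record; thresholds are example assumptions."""
    findings = []
    if not status.get("synchronized"):
        findings.append("clock is unsynchronized: log and trap timestamps cannot be trusted")
    stratum = status.get("stratum", 16)
    if stratum >= 16:
        findings.append("stratum 16: no usable time source")
    elif stratum > max_stratum:
        findings.append(f"stratum {stratum} exceeds {max_stratum}")
    if abs(status.get("offset_ms", 0.0)) > max_offset_ms:
        findings.append(f"offset {status['offset_ms']} msec exceeds {max_offset_ms}")
    return findings
```

The assoc row's reach value of 17 (octal) means only four of the last eight polls were answered, so even the "synchronized" router is worth a second look; a healthy peer shows 377.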


    Topics: SNMP, Syslog, Other Amenities, Time, Best Practices


    Best Practices 1

    Consistent login passwords

    Consistent enable passwords

    Common SNMP community strings. Think twice about public RO

    Do NOT do private as RW string

    Use interface description lines

    Consistent DNS / host table, or else use just addresses

    HPOV netmon gets unhappy with inconsistent DNS information
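The chapter's recommendations are easy to state and easy to lose across a few hundred routers. This added example (not from the slides or from Chesapeake NetCraftsmen) audits a running-config excerpt for the points made in this chapter: default community strings (`public` RO, `private` RW), communities with no access-list, console logging not turned off, no logging buffer, syslog messages without timestamps, missing contact or location, no syslog host, and `exec-timeout 0 0` on vty lines (the slides recommend it only on the console). Both config excerpts are constructed; the community names other than `public`/`private` are placeholders.

```python
import re

# Constructed running-config with deliberate departures from the chapter's advice.
SAMPLE_CONFIG = """\
hostname Rtr
service timestamps debug datetime show-timezone
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tmgmt-ro RO 60
snmp-server location Rome, Italy NOC
snmp-server host 148.33.2.3 public
access-list 60 permit 148.33.2.3
logging 148.33.2.3
logging trap informational
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 0 0
"""

# Constructed config that follows the chapter's recommendations.
HARDENED_CONFIG = """\
hostname Rtr
service timestamps log datetime show-timezone
service timestamps debug datetime show-timezone
snmp-server community n3tmgmt-ro RO 60
snmp-server community n3tmgmt-rw RW 60
snmp-server location Rome, Italy NOC
snmp-server contact John Doe, (800) 555-1212
access-list 60 permit 148.33.2.3
no logging console
logging buffered 100000
logging 148.33.2.3
logging trap informational
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 10 0
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?\s*$")

# (pattern that should be present, finding reported when it is absent)
REQUIRED = [
    (r"^no logging console\s*$", "console logging is still on: add 'no logging console'"),
    (r"^logging buffered\b", "no logging buffer: add 'logging buffered 100000'"),
    (r"^service timestamps log datetime\b",
     "syslog messages are not timestamped: add 'service timestamps log datetime show-timezone'"),
    (r"^snmp-server contact\b", "snmp-server contact is not set"),
    (r"^snmp-server location\b", "snmp-server location is not set"),
    (r"^logging \d+\.\d+\.\d+\.\d+\s*$", "no syslog host configured"),
]


def audit(config_text):
    """Return a list of findings; an empty list means the excerpt follows the chapter."""
    findings = []
    lines = config_text.splitlines()
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name, mode, acl = m.groups()
        if name == "public" and mode == "RO":
            findings.append("community 'public' RO: well-known default string, think twice")
        if name == "private" and mode == "RW":
            findings.append("community 'private' RW: well-known default with write access, do not use")
        if acl is None:
            findings.append(f"community '{name}' ({mode}) accepts SNMP from any source: add an access-list")
    for pattern, message in REQUIRED:
        if not re.search(pattern, config_text, re.M):
            findings.append(message)
    # exec-timeout 0 0 disables the idle timeout: the slides suggest it for the
    # console only, so flag it under vty lines.
    current_line = None
    for line in lines:
        if line.startswith("line "):
            current_line = line.split()[1]          # "con" or "vty"
        elif line.strip() == "exec-timeout 0 0" and current_line == "vty":
            findings.append("vty exec-timeout 0 0: idle timeout disabled for remote sessions")
    return findings
```

`audit(SAMPLE_CONFIG)` returns nine findings and `audit(HARDENED_CONFIG)` returns none; the checks are line-regex based, so they expect the excerpt in the form `show running-config` prints it.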


    Best Practices 2

    CiscoWorks assumes the login prompt ends in >, enable prompt in #

    Do not use the prompt command to change the prompt!

    Send syslog messages to CW workstation

    Send SNMP traps to HPOV workstation


    Don't Forget

    After you make changes to the configuration, you need to:

    Rtr# copy run start
